https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3902353#M470771 <P>We recently upgraded from 1.3 (no nmap probe option available) to 2.1 (defaults to policy nodes having nmap probe enabled).</P><P>&nbsp;</P><P>Long story short - it's profiled a bunch of our devices improperly as cisco-router. Xerox &amp; Ricoh printers, some apple devices, etc. Seems random. Apparently it gathered info that the device is a Cisco 3925 running this version IOS, or a 6506 running that version IOS...</P><P>&nbsp;</P><P>How exactly does NMAP determine OS version? The probe description mentions it looks for open ports and OS version. Surely it relies on more then just open ports to determine a specific version.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><TABLE><TBODY><TR><TD>operating-system</TD><TD>Cisco 6506 router (IOS 12.2)</TD></TR><TR><TD>operating-system-result</TD><TD>Cisco 6506 router (IOS 12.2)</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P><TABLE><TBODY><TR><TD>operating-system</TD><TD>Cisco 2811 router (IOS 12.2 - 12.4) (accuracy 95%)</TD></TR><TR><TD>operating-system-result</TD><TD>Cisco 2811 router (IOS 12.2 - 12.4) (accuracy 95%)</TD></TR></TBODY></TABLE> Fri, 02 Aug 2019 22:12:44 GMT Y C 2019-08-02T22:12:44Z https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3902353#M470771 <P>We recently upgraded from 1.3 (no nmap probe option available) to 2.1 (defaults to policy nodes having nmap probe enabled).</P><P>&nbsp;</P><P>Long story short - it's profiled a bunch of our devices improperly as cisco-router. Xerox &amp; Ricoh printers, some apple devices, etc. Seems random. Apparently it gathered info that the device is a Cisco 3925 running this version IOS, or a 6506 running that version IOS...</P><P>&nbsp;</P><P>How exactly does NMAP determine OS version? The probe description mentions it looks for open ports and OS version. Surely it relies on more then just open ports to determine a specific version.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><TABLE><TBODY><TR><TD>operating-system</TD><TD>Cisco 6506 router (IOS 12.2)</TD></TR><TR><TD>operating-system-result</TD><TD>Cisco 6506 router (IOS 12.2)</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P><TABLE><TBODY><TR><TD>operating-system</TD><TD>Cisco 2811 router (IOS 12.2 - 12.4) (accuracy 95%)</TD></TR><TR><TD>operating-system-result</TD><TD>Cisco 2811 router (IOS 12.2 - 12.4) (accuracy 95%)</TD></TR></TBODY></TABLE> Fri, 02 Aug 2019 22:12:44 GMT https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3902353#M470771 Y C 2019-08-02T22:12:44Z https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3902435#M470780 <P>&nbsp;</P><P>&nbsp;<A href="https://www.comparitech.com/net-admin/the-definitive-guide-to-nmap/#OS_Scanning" target="_blank">https://www.comparitech.com/net-admin/the-definitive-guide-to-nmap/#OS_Scanning</A></P><P>&nbsp;M.</P> Sat, 03 Aug 2019 09:00:15 GMT https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3902435#M470780 Mark Elsen 2019-08-03T09:00:15Z https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3902447#M470783 <P>Well, I guess what I should say is... regardless of what it uses, if it's this inaccurate what's the point? And the idea how it favors Cisco products is amusing. It's forgivable if it recognizes an ipad as an iphone... but a printer as a 6506? Really?</P> Sat, 03 Aug 2019 10:34:08 GMT https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3902447#M470783 Y C 2019-08-03T10:34:08Z https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3902491#M470787 If not enough ports are open, there is something called an aggressive OS lookup that is done causing the misinterpretation of the operating system. ISE uses the operating system guess from nmap.org. It is an open source resource for nmap implementation.<BR /> Sat, 03 Aug 2019 14:30:59 GMT https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3902491#M470787 Surendra 2019-08-03T14:30:59Z https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3903164#M470790 <TABLE><TBODY><TR><TD>operating-system</TD><TD>Cisco Nexus 7000 switch (NX-OS 4.2.6) (accuracy 99%)</TD></TR><TR><TD>operating-system-result</TD><TD>Cisco Nexus 7000 switch (NX-OS 4.2.6) (accuracy 99%)</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>That's an apple device - so it thinks it's wild guess was 99% accurate.</P><P>&nbsp;</P><P>Sounds like turning it off was the right thing to do. It's a surprise this is enabled by default if it's known wild guesses like this can happen.</P> Mon, 05 Aug 2019 15:17:44 GMT https://community.cisco.com/t5/network-access-control/strange-nmap-behavior/m-p/3903164#M470790 Y C 2019-08-05T15:17:44Z